Technical Organisational Measures

Description of the technical and organisational security measures implemented by the data importer.

  1. Data Protection
    1. Security measures applicable to components of the 15Five System under 15Five’s control are designed to protect Customer Personal Data (referred to herein as “Controller Personal Data”), and to maintain the availability of such Controller Personal Data pursuant to the Agreement and applicable Order Forms.
    2. 15Five will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with National Institute of Standards and Technology, United States Department of Commerce (“NIST”) guidelines for media sanitization.
  2. Security Policies
    1. 15Five will maintain and follow IT security policies and practices that are applicable to all 15Five employees, including supplemental personnel.
    2. 15Five will review its IT security policies at least annually and amend such policies as 15Five deems reasonable to maintain protection of the 15Five System and Controller Personal Data.
    3. 15Five will maintain and follow standard employment verification requirements for all new hires. In accordance with 15Five internal processes and procedures, these requirements will be periodically reviewed and may include, but are not limited to, criminal background checks and identity validation.
    4. 15Five employees will complete security and privacy education annually and certify each year that they will comply with 15Five’s ethical business conduct, confidentiality, and security policies, as set out in 15Five’s acceptable use agreement. Additional policy and process training will be provided to persons granted administrative access to components of the 15Five System under 15Five’s control.
  3. Security Incidents
    1. 15Five will maintain and follow documented incident response policies consistent with NIST guidelines for computer security incident handling.
    2. 15Five will investigate unauthorized access and unauthorized use of Controller Personal Data of which 15Five becomes aware. Customer may notify 15Five of a suspected vulnerability or incident by submitting a technical support case for 15Five evaluation.
  4. Physical Security and Entry Control
    1. 15Five will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, designed to protect against unauthorized entry into 15Five facilities.
    2. Access to certain 15Five facilities and controlled areas within 15Five facilities will be limited by job role and subject to appropriate authorization. Use of an access badge to enter such facilities and controlled areas will be logged, and such logs will be retained for not less than one year.
    3. 15Five will take precautions to protect 15Five System physical infrastructure under its control against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.
  5. Access, Intervention, Transfer and Separation Control
    1. 15Five will maintain documented security architecture of networks controlled by 15Five in its operation of the 15Five System. 15Five will review such network architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with 15Five’s secure segmentation, isolation, and defense standards. 15Five may use wireless networking technology in its maintenance and support of the 15Five System and associated components. Such wireless networks, if any, will be encrypted and require secure authentication.
    2. 15Five will maintain measures designed to logically separate and prevent Controller Personal Data from being exposed to or accessed by unauthorized persons.
    3. 15Five will encrypt Controller Personal Data when transferring Controller Personal Data over public networks, and will enable use of a cryptographic protocol, such as HTTPS, SFTP, or FTPS, for secure transfer of Controller Personal Data.
    4. 15Five will encrypt Controller Personal Data at rest.
    5. Consistent with industry standard practices, and to the extent natively supported by each component controlled by 15Five within the 15Five System, 15Five will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.
    6. 15Five will monitor use of 15Five System components under its control in a manner designed to identify unauthorized access and activity and enable internal and independent third party audits of compliance with documented 15Five policy.
    7. Access and activity logs with respect to components of the 15Five System under 15Five’s control are recorded and will be retained in compliance with 15Five’s records retention policy. 15Five will maintain measures designed to protect against unauthorized access to, and/or modification or destruction of such logs.
  6. Integrity and Availability Control
    1. 15Five performs penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter, and enlists a qualified independent third party to perform penetration testing of components of the 15Five System under 15Five’s control at least annually.
    2. 15Five maintains policies and procedures designed to manage risks associated with the application of changes to components of the 15Five System under 15Five’s control. Prior to implementation, changes to components of the 15Five System under 15Five’s control will be documented in a change request that includes a description and reason for the change, implementation details and schedule, a risk statement addressing impact to the 15Five System, expected outcome, rollback plan, and documented approval by authorized personnel.
    3. 15Five will maintain an inventory of all information technology assets under 15Five’s control used in its operation of the 15Five System. 15Five will continuously monitor the health and availability of components of the 15Five System under 15Five’s control.
    4. Components of the 15Five System under 15Five’s control will be assessed for business continuity and disaster recovery requirements pursuant to documented risk management guidelines.
    5. 15Five will (i) back up systems containing Controller Personal Data daily; (ii) ensure at least one backup destination is at a location separate from production systems; (iii) encrypt backup data stored on portable backup media; and (iv) validate backup process integrity by regularly performing data restoration testing.
    6. 15Five will maintain measures designed to assess, test, and apply security advisory patches to components of the 15Five System under 15Five’s control. Upon determining a security advisory patch is applicable and appropriate, 15Five will implement the patch pursuant to documented risk assessment guidelines. Implementation of security advisory patches will be subject to 15Five change management policy.